我是 Azure Active Directory 集成的初学者。我有一个受 Azure Active Directory 保护的 Web API（.NET Core）。我正在尝试用 Postman 调用这个 Web API，我知道需要 OAuth 2.0 访问令牌才能调用它。我已经按照此文档链接生成了访问令牌。
生成访问令牌后，我在请求头中加入了该令牌，例如 Authorization: Bearer e....
但请求始终返回如下图所示的错误结果。
我确认已在“API 权限”部分添加了所需的权限，并且在 Azure 门户中“权限类型”为“委派的权限”。
请参阅我的 Startup 类：
/// <summary>
/// ASP.NET Core 2.1 startup for a Web API protected by Azure AD bearer tokens.
/// Every MVC action is gated by the "default" authorization policy unless it opts out.
/// </summary>
public class Startup
{
    /// <summary>Captures the application configuration supplied by the host.</summary>
    public Startup(IConfiguration configuration) => Configuration = configuration;

    /// <summary>Host configuration; the "Authentication" section is read below.</summary>
    public IConfiguration Configuration { get; }

    /// <summary>
    /// Registers MVC with a global authorize filter, the "default" policy, JWT bearer
    /// authentication against the configured authority, and the scope claims transformation.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // Every MVC action requires the "default" policy; anonymous endpoints must opt out explicitly.
        services
            .AddMvc(mvcOptions => mvcOptions.Filters.Add(new AuthorizeFilter("default")))
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization(authorizationOptions =>
        {
            // The caller's token must carry the "user_impersonation" scope. RequireClaim matches
            // a claim value exactly, which is why the claims transformation registered further
            // down splits the scope claim into one claim per scope.
            authorizationOptions.AddPolicy("default", policy =>
                policy.RequireClaim(DotNetCoreApiSample.Authorization.Constants.ScopeClaimType, "user_impersonation"));
        });

        services
            .AddAuthentication(authenticationOptions =>
                authenticationOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(jwtOptions =>
            {
                // Issuer and signing keys are discovered from the authority's OpenID Connect metadata.
                jwtOptions.Authority = Configuration["Authentication:Authority"];
                jwtOptions.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Azure AD may place either the App ID URI or the client id in the "aud" claim.
                    ValidAudiences = new[]
                    {
                        Configuration["Authentication:AppIdUri"],
                        Configuration["Authentication:ClientId"],
                    },
                };
            });

        // Splits the space-separated scope claim value so RequireClaim above can match one scope.
        services.AddSingleton<IClaimsTransformation, AzureAdScopeClaimTransformation>();
    }

    /// <summary>Builds the request pipeline; authentication must run before MVC.</summary>
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // Must precede UseMvc (and anything else that needs a principal) so the
        // AuthorizeFilter sees an authenticated user rather than an anonymous one.
        app.UseAuthentication();

        // NOTE(review): nothing in this pipeline enforces HTTPS, so a bearer token sent to a
        // plain-HTTP endpoint is exposed on the wire. Terminate TLS in front of this app or
        // add HTTPS redirection/HSTS ahead of UseAuthentication — confirm with the deployment.
        app.UseMvc();
    }
}
根据我的测试，一旦配置了该策略，就需要使用作用域 {your resource url}/user_impersonation 来请求访问令牌，然后才能用该访问令牌调用应用程序；否则会收到 403 错误。注意区分两种错误：令牌本身无法通过验证（签名、颁发者或受众不匹配）时返回 401，而令牌有效但缺少所需作用域时才返回 403。请解码并检查访问令牌（例如使用 JWT 解码工具），确认其中的 scp 声明包含所需的作用域。
我的测试代码如下：1. Startup.cs
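/// <summary>
/// Registers MVC, JWT bearer authentication pinned to a single Azure AD tenant, and the
/// "default" authorization policy. Registering the policy alone protects nothing: apply it
/// with [Authorize(Policy = "default")] or a global AuthorizeFilter.
/// </summary>
/// <param name="services">The host's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

    // The tenant id drives both the metadata endpoint and the accepted issuers; reading it
    // here replaces the hard-coded "<tenant id>" placeholders (the original read it and never used it).
    var tenantId = Configuration["AzureAd:TenantId"];

    services
        .AddAuthentication(o =>
        {
            o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            o.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
            o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                // v1 tokens carry the sts.windows.net issuer and v2 tokens the
                // login.microsoftonline.com one; pinning both to this tenant rejects
                // tokens minted for any other tenant.
                ValidIssuers = new[]
                {
                    $"https://sts.windows.net/{tenantId}/",
                    $"https://login.microsoftonline.com/{tenantId}/v2.0",
                },
                // Both App ID URI and client id are valid audiences in the access token
                ValidAudiences = new List<string>
                {
                    "<app id>",
                    "<app id url>",
                },
            };
        });

    services.AddAuthorization(o =>
    {
        o.AddPolicy("default", policy =>
        {
            // The scope claim is one space-separated string of scopes. RequireClaim compares
            // the whole value, so a token granted "user_impersonation other" would be refused;
            // split the value and look for the required scope instead.
            policy.RequireAssertion(context =>
            {
                foreach (var claim in context.User.FindAll("http://schemas.microsoft.com/identity/claims/scope"))
                {
                    foreach (var scope in claim.Value.Split(' '))
                    {
                        if (scope == "user_impersonation")
                        {
                            return true;
                        }
                    }
                }

                return false;
            });
        });
    });
}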
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
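/// <summary>
/// Builds the request pipeline: developer error page or HSTS, then HTTPS redirection,
/// then authentication, then MVC.
/// </summary>
/// <remarks>
/// Order matters. UseHttpsRedirection runs before UseAuthentication so a plain-HTTP request
/// is redirected before any bearer token is parsed (the original had these two swapped), and
/// UseAuthentication runs before UseMvc so the authorization policy sees an authenticated
/// principal. The redirect cannot protect a token a client has already sent over HTTP;
/// clients must call the HTTPS endpoint in the first place.
/// </remarks>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment; HSTS is enabled outside development.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        // Outside development only, so local http://localhost testing is not pinned to HTTPS.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseAuthentication();
    app.UseMvc();
}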
测试：
a. 获取访问令牌
b. 调用 API